CFATS and Industry

One of the interesting aspects of much of the public reporting (see here, here, and here for instance) on the termination of the CFATS program is the number of comments from industry organizations supporting the Chemical Facility Anti-Terrorism Standards (CFATS) program. In fact, two major chemical organizations (the American Chemistry Council and the National Association of Chemical Distributors) published press releases calling for Congress to quickly reinstate the program.

Those of us who have been following the CFATS program for some time (since its inception here) are not surprised, chemical manufacturing associations have been long time supporters of the program. Nobody has looked at the apparent contradiction of their support for a costly regulatory program. One of the reasons is that DHS/CISA have always attempted to work with industry to make sure that the regulatory scheme works in the field, even where industry opposed extensions of the program (most memorable is the implementation of the personnel surety vetting program).

Another reason is that the program works with covered facilities to develop security measures that make sense for that particular facility. Every chemical facility is a unique entity and trying to force facilities into cookie-cutter security programs would either make them so costly as to be unsupportable or ineffective in many cases. While facility site security plans were required fulfill requirements set forth in the program’s Risk Based Performance Standards, facility management had a great deal of leeway in how they accomplished those requirements.

Both of these factors have been discussed here multiple times, nothing new. There are two other factors that have not been discussed in public. The first of these is that while many companies came to recognize after 9/11 that there were potential security risks many of these companies had concerns that their competitors did not recognize the same level of risk in their facilities. Failure to spend money on costly security measures (and CFATS compliant security measures can be very costly) would give them a cost advantage over their security concerned competitors. With a security regulatory scheme in place, companies were competing on a more level playing field.

Finally, security expenses to meet regulatory requirements are clearly legitimate business expenses and with the CFATS program, the government was the determiner of security risk and the level of security that was required to meet that threat. Lacking this program, facilities will be required to justify their internal risk assessment and the security requirements to meet that level of risk. Preparing for that justification would be an added cost of security which could still be questioned by tax agencies.